Homeland Security tallies damage from breach at USIS, and it's not pretty.

On Aug. 2, Department of Homeland Security officials revealed that the agency's contractor for conducting security clearance background checks had been hacked, and an unknown number of DHS employees' personal data from those investigations had been stolen—potentially by a state-sponsored hacker. Now the DHS has a handle on how many records were stolen from contractor USIS: at least 25,000.

The Associated Press cites information from an unnamed DHS official, who spoke with the service under the condition of anonymity. "Homeland Security will soon begin notifying employees whose files were compromised and urge them to monitor their financial accounts," the Associated Press' Joce Sterman reported.

USIS is, as the Washington Post reported, the largest contract provider of background investigations to the federal government. The attack on USIS comes after the March revelation that the US Office of Personnel Management had been attacked by hackers based in China, potentially giving them access to the personal information of millions of government employees—though OPM officials say that no personal data appeared to have been taken in the attack before it was detected.

The US Computer Emergency Response Team (US-CERT), which is part of DHS, is currently investigating the USIS breach, as are the FBI and other federal authorities. USIS was already under fire from Congress, and faces a federal whistleblower lawsuit over the alleged "dumping" of more than 600,000 background checks for security clearances—marking as complete checks that were only partially conducted. USIS was responsible for the background checks for Edward Snowden, and for Aaron Alexis—the man responsible for the shootings at the Navy Yard in Washington, DC last year.

Just another example of the truly nonexistent "digital security". It really seems as if there is a whole industry that calls themselves "security professionals" that turn out to be anything but. If companies like these can't secure their networks, who the hell can?

As bad as it is that those employees' financial records have been exposed, there is a bigger issue here: how much damage could be done using the stolen information as authentication credentials?

Think blackmail of people who provide security...

Well, it's not like China needs to impersonate someone to get a credit card or something. This was probably to identify the security folks and get any supplemental info they could (connections in other countries, languages spoken, assignments, etc.). This is the kind of background-noise espionage we expect from foreign countries.

During the Cold War, the list of students taking any particular military linguist course was classified, mainly for OPSEC so that a soldier's travel wouldn't raise any red flags with the Soviets.

Every single time a class of Russian linguists graduated, they'd get cards from the Soviet embassy congratulating them on mastering such a difficult language.

Imagine the NSA would use all its vast knowledge and resources to actually help secure IT infrastructure and communications instead of constantly undermining everything...

They already do that. There are two parts to the NSA, and all evidence seems to indicate they don't seem to care about each other. There is the part that is into breaking into things and all the nonsense people are up in arms about, and then there is the part that provides input to securing things.

Interesting things can happen when the part that secures things alerts a third party that they have a problem, it gets fixed, then the side that wants to break into things gets angry cause the loophole has been closed.

Don't paint things with a broad brush. Stuff like SELinux is directly because of the NSA.

USIS isn't the only company doing this kind of work, or the only one that loses applicant information. At one, just one US military installation, a new maintenance contractor used the services of Xerox to digitize paper documents submitted by employees of a previous contractor, with the digitized information going to First Advantage (LexisNexis) for processing in the employee vetting process.

The paper documents included copies and originals of birth records, certificates, high school diplomas and GED documents, tax filings, marriage documents, medical records, military records, every form of government and corporate documentation it takes to live a person's life.

All of the documents, ALL of them, were subsequently lost, misplaced, gone forever. The contractor ended up requiring every employee submit all records and documents a second time. Not an easy feat when many contract employees are in their late 50s and early 60s, and have no access to old high school records or original birth documents (think Obama), when states and school systems have lost records over the years, schools and hospitals no longer exist. It was a huge cluster jerk.

In the end, no investigation was ever done into the disappearance of the thousands of paper documents, none of the companies admitted wrongdoing or accepted responsibility for the lost records and personal information. And it all happened on a government contract at a US DOD installation. So, for anyone considering a career in contract government work, be forewarned.

Remember when Microsoft had to drop everything in the early 2000s to address their security problems (thus delaying Longhorn/Vista in the process)? Remember when the entire software industry had to drop everything to address the Y2K problem?

That's the level of attention that we need for our various databases and accounts. Right now.

Anything less at this point is gross negligence, and there should be jail time for anyone who behaves otherwise. I don't think people are taking the stakes seriously anymore.

There are no more excuses, right on up to the CEO and Presidential level.

As bad as it is that those employees' financial records have been exposed, there is a bigger issue here: how much damage could be done using the stolen information as authentication credentials?

Think blackmail of people who provide security...

DHS and the other TLAs do a lot to reduce the chance of blackmail -- or they're supposed to. Background checks exist largely to investigate whether there's something that could be used to blackmail you. If they find something, they make an assessment whether they think it's serious enough for you to actually risk effing jail time to not have it revealed. Usually the answer is no, but if the answer is yes, you aren't cleared.

But you have to be willing to put up with them looking under your fingernails. It's a high price, but if you pay it you know the government isn't worried about the stuff they found there, and they're usually right about whether what they know could be used against you in a serious way.

I emailed Sean about this story last night, so go me... he may have already had it in the hopper though.

Here's the thing that's not in the media though -- USIS is shut down. Pretty much completely. A coworker's husband worked for them, and on Aug 4 he was told that due to the hack all their systems (email, phones, everything) were shut down and they would not be allowed in the office. A couple weeks ago he was told that the investigation was ongoing.

This past Tuesday he filed for unemployment -- he was an hourly employee (not a contractor), and while he apparently didn't like the job, it was at least a paycheck, and at 60+ finding another job is... difficult. Particularly since his preferred line of work (manufacturing) pretty much doesn't exist in this country any more.

OPM (Office of Personnel Management) and DHS have pulled their contracts. He's been told that the company will not reopen for business until at least October. And even then it's questionable. I haven't seen any of this in news stories, but given that he had to file for unemployment, I think I'll believe his wife.

I don't know of any other hack that has led to a company being shut down for a month... much less 2-3. It helps to remember that there are people who really do get hurt by this kind of shit.

DHS and the other TLAs do a lot to reduce the chance of blackmail -- or they're supposed to. Background checks exist largely to investigate whether there's something that could be used to blackmail you. If they find something, they make an assessment whether they think it's serious enough for you to actually risk effing jail time to not have it revealed. Usually the answer is no, but if the answer is yes, you aren't cleared.

But you have to be willing to put up with them looking under your fingernails. It's a high price, but if you pay it you know the government isn't worried about the stuff they found there, and they're usually right about whether what they know could be used against you in a serious way.

This is why homosexuals couldn't get security clearances for a long time. Even if you were out of the closet, they assumed your lover or future lover might not be. There was some arduous process to get an exception, but it was probably easier to hide your orientation from the government than it was to get the exception.

The policy did change at some point, but it was due to changing social acceptance of gays, not because the FBI investigators suddenly realized they were discriminating.

DHS and the other TLAs do a lot to reduce the chance of blackmail -- or they're supposed to. Background checks exist largely to investigate whether there's something that could be used to blackmail you. If they find something, they make an assessment whether they think it's serious enough for you to actually risk effing jail time to not have it revealed. Usually the answer is no, but if the answer is yes, you aren't cleared.

But you have to be willing to put up with them looking under your fingernails. It's a high price, but if you pay it you know the government isn't worried about the stuff they found there, and they're usually right about whether what they know could be used against you in a serious way.

This is why homosexuals couldn't get security clearances for a long time. Even if you were out of the closet, they assumed your lover or future lover might not be. There was some arduous process to get an exception, but it was probably easier to hide your orientation from the government than it was to get the exception.

The policy did change at some point, but it was due to changing social acceptance of gays, not because the FBI investigators suddenly realized they were discriminating.

... and because getting that government job required hiding that fact, it thus became something that could be used against you through blackmail. Anyone noticing a self-fulfilling prophecy here?

I've had to give date of birth and SSN a number of times for base pass clearance. (A bare minimum background check.) I always assumed the data wasn't secure, but such data is easily obtained by hackers anyway.

But I always thought it was weird that the government didn't know this data anyway. Perhaps it was to ensure they investigated the right person.

Imagine the NSA would use all its vast knowledge and resources to actually help secure IT infrastructure and communications instead of constantly undermining everything...

They already do that ...

Well, I think they used to do that. Like back when the NSA secretly strengthened IBM's DES algorithm with "better" S-boxes making the encryption standard resistant to an attack vector that apparently was discovered by the NSA before anyone else. They no longer seem to see that as something desirable.

As bad as it is that those employees' financial records have been exposed, there is a bigger issue here: how much damage could be done using the stolen information as authentication credentials?

The background check data includes their SSN, all their recent addresses, a financial background check, and pretty much any relationship data they have, depending on what level clearance they were cleared for. At least, that is, if they do it right.

OPM (Office of Personnel Management) and DHS have pulled their contracts. He's been told that the company will not reopen for business until at least October. And even then it's questionable. I haven't seen any of this in news stories, but given that he had to file for unemployment, I think I'll believe his wife.

I don't know of any other hack that has led to a company being shut down for a month... much less 2-3. It helps to remember that there are people who really do get hurt by this kind of shit.

Probably not the hack but the evidence of sloppiness and deception that were revealed along with the hack were what got their contracts pulled. Your friend should consider contacting a lawyer, as the JD may go after the company and he wants to be a witness and not a defendant. It can be difficult to know which the JD considers you.

I've had to give date of birth and SSN a number of times for base pass clearance. (A bare minimum background check.) I always assumed the data wasn't secure, but such data is easily obtained by hackers anyway.

But I always thought it was weird that the government didn't know this data anyway. Perhaps it was to ensure they investigated the right person.

That's exactly the reason. I have a relatively unusual name and I still get several dozen matches in America on a Google search. But there's only one person that has my SSN.

There are at least two structural problems with the government security apparatus, on both the investigation side (the people who actually conduct the investigations) and the management side (the functionaries who "manage" the process):

One, a lot of the investigators are former military or law enforcement, and aren't qualified for other kinds of jobs. So you get a bunch of investigators that, to put it politely, have a chip on their shoulders and are used to being obeyed by civilians, but don't get a lot of respect in their job - they don't make any decisions, they just go gather information. Kind of a clerical position - not that there's anything wrong with that :-/, but not what they are used to. So, the quality of their work isn't necessarily the best.

Two, many of the manager types are intent on moving up, so they are focused on brown nosing their bosses for good recommendations and are constantly looking for other jobs in the organization, neither of which is conducive to quality work. They pay just enough attention to their current gig to do just good enough to get that transfer into a sexier part of the org.

Huh. When I worked a shitty job at the bottom of the DHS totem pole (TSA), they lost my SF-85 (the fifteen-page background check form). Along with a few thousand others. After two years of employment, they told us we all had to fill the thing out again because they weren't sure if anyone's background check was actually done. Or who, if anyone, actually had all that paperwork.

Of course, they couldn't blame Chinese hackers for disappearing paperwork. But at least they paid the same worthless contractor to gather the same information again.

Good to see they're just as careful with the information now that it's on a computer. Incompetent, but faster!

Huh. When I worked a shitty job at the bottom of the DHS totem pole (TSA), they lost my SF-85 (the fifteen-page background check form). Along with a few thousand others. After two years of employment, they told us we all had to fill the thing out again because they weren't sure if anyone's background check was actually done. Or who, if anyone, actually had all that paperwork.

Of course, they couldn't blame Chinese hackers for disappearing paperwork. But at least they paid the same worthless contractor to gather the same information again.

Good to see they're just as careful with the information now that it's on a computer. Incompetent, but faster!

At least your data was handled with blue gloves!

I used to wonder why these database companies grow like the Borg, especially Oracle. Unless you know what you are doing, it is best to have one company manage all your data. Otherwise stuff slips through the cracks.

Companies are like people, i.e. pack rats. They generally don't toss data, but they often can't locate it either. You can rest assured your private data is in some storage locker and will appear on a bad reality TV show some day.

Remember when Microsoft had to drop everything in the early 2000s to address their security problems (thus delaying Longhorn/Vista in the process)? Remember when the entire software industry had to drop everything to address the Y2K problem?

That's the level of attention that we need for our various databases and accounts. Right now.

Anything less at this point is gross negligence, and there should be jail time for anyone who behaves otherwise. I don't think people are taking the stakes seriously anymore.

There are no more excuses, right on up to the CEO and Presidential level.

Are you referring to Microsoft or the government? Both standards of leaky systems.

If companies like these can't secure their networks, who the hell can?

They CAN secure their networks. But that costs money, time and resources.

And no CEO can possibly live on any less than 80% of the income of the company, so why pay for security? They aren't accountable in the end, so it can be someone else's problem.

When is the last time you saw anyone connected with stupidity this grand face anything more than harsh words and having to wait 6 months for the company to rebrand and go right back to being as incompetent as before?

I am actually surprised that background checks for security clearance are delegated to contractors. This is wrong on several levels.

First, security clearance exists to preserve state secrets; this is not something that should be delegated to any kind of non-governmental institution. It is a state privilege and duty to provide this function. Should we also delegate police functions to outside contractors while we are at it? We know how well this worked in Iraq.

Second, this is technically problematic, as the theft of these documents proves. No amount of paperwork will guarantee that contractors abide by proper security measures, and verifying it on-site would likely cost as much as it would for the government to handle the data by itself in the first place. Outsourcing this task is a false saving, and whoever decided it was a good idea (probably during-or-after the Reagan era I guess? The article should have provided this information for context.) must now measure how much damage this great idea has allowed China to wield upon the US.

Third, as has been said, why is this information on a network connected to the Internet? As much as I hate state secrets because they are so often used to conceal information which should be visible to citizens, this information should be in a fully air-gapped network. There is so much actionable information which can be obtained via the list of people with a clearance that the first priority of anyone handling that list, regardless of any other functional imperative should be to "keep it out of harm's way".

Finally, it is regrettable the article does not try to evaluate how much damage this might cost. As others have mentioned this list essentially gives foreign powers a list of easy targets to hack into and/or blackmail. Knowing two or three people with security clearances doesn't help you much but when you get a whole population of them, you are bound to find something you can blackmail them with and likely as many entry points into all kind of classified data.

It's pretty clear that the government security establishment must be feeling the heat pretty hard now: they now have 25,000 entry points into classified data to monitor and secure, and that's quite daunting, if possible at all.

I'm trying to think of the next big thing I can claim to do for money but can't and people will still pay me anyway.

Nice work if you can get it.

But on a more serious note. It will only get worse.

Since it has been observed by many who "fly signs", or hold signs scrawled out on pieces of cardboard by the side of the road, that such solicitation of donations can be more profitable than any of the usual ways of obtaining income, one might expect an increase in white collar solicitors who used to work for government contractors.

I understand that there are few, if any, fans of the DHS and NSA who post at Ars. But what purpose does it serve to blame the victim(s)? "Americans" and America-haters are so quick to level accusations of stupidity, incompetence or evil at the NSA, CIA, DoD, Congress, the President, ad nauseam. But why not focus the blame at the source of the attacks, and, most importantly, its sponsors?